Spotify Android Application at Issue in Breach

Description

Users of Spotify on Android will soon be asked to update the application after a breach was reported this morning by the streaming music service’s chief technology officer.

Oskar Stal wrote on the company’s website that the company is investigating unauthorized access to its systems and internal company data. He also wrote that certain users will be asked to reset their passwords.

“Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information,” Stal said. “We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.”

Spotify is limiting updates to only its Android users and is not recommending any action for iOS and Windows Phone users.

Android users will be prompted to upgrade in the coming days, Stal said.

Spotify head of U.S. communications Graham Jones would not answer questions via email as to why only the Android application was being updated, why only one user was reportedly affected, whether the user’s app was downloaded from Google Play or a third party, or when the attack was discovered.

“We’re not going into any further detail beyond what is on the blog post,” Jones said.

Spotify, which recently announced it had 10 million global subscribers, has had a fairly tranquil security reputation. Its last publicly reported security incident was almost 13 months ago, when a then-new Google Chrome plug-in allowed users to download copies of songs for free.

The extension, known as Downloadify, was pulled from the Chrome Web Store almost immediately. The plug-in exploited a vulnerability in the company’s Web-based player. A user could take advantage of it to download an MP3 of the song as it started playing. The vulnerability allowed a bypass of the file’s digital rights management protection. Copies of the plug-in were also found on third-party sites, including GitHub.

Source: Threatpost, reported by Michael Mimoso. Published 2014-05-27T12:35:49; modified 2014-05-27T20:06:17. https://threatpost.com/spotify-android-application-at-issue-in-breach/106290/

References:

https://support.spotify.com/us/problems/#!/article/downloading-android-update

http://threatpost.com/spotify-fixes-security-hole-that-allowed-free-song-downloads/100407